Artículos

Hardware Architecture and Cost/time/data Trade–off for Generic Inversion of One–Way Function

Arquitectura en Hardware y Compromiso de Costo, Tiempo y Datos para Inversiones Genéricas de Funciones Unidireccionales

Sourav Mukhopadhyay¹ and Palash Sarkar²

¹ Electronic Engineering Department Dublin City University Glasnevin, Dublin 9 Ireland. E–mail: masourav@eeng.dcu.ie

² Applied Statistics Unit Indian Statistical Institute 203 B.T. Road, Kolkata India–700108. E–mail: palash@isical.ac.in

Article received on March 1, 2008
Accepted on October 3, 2008

Abstract

In many cases, a cryptographic algorithm can be viewed as a one–way function, which is easy to compute in forward direction but hard to invert. Inverting such one–way function amounts to breaking the algorithm. Time–Memory Trade–Off (TMTO) is a twenty five years old generic technique for inverting one–way functions. The most feasible implementation of TMTO is in special purpose hardware. In this paper, we describe a systematic architecture for implementing TMTO. We break down the offline and online phases into simpler tasks and identify opportunities for pipelining and parallelism. This results in a detailed top–level architecture. Many of our design choices are based on intuition. We develop a cost model for our architecture. Analysis of the cost model shows that 128–bit keys seem safe for the present. However, key sizes less than 96 bits do not provide comfortable security assurances.

Keywords: One–way function, generic method, time/meomry trade–off cryptanalysis.

Resumen

En muchos casos, un algoritmo criptográfico puede ser visto como una función de sólo ida, la cual es fácil de calcular pero difícil de invertir. Invertir una función de sólo ida es equivalente a romper el algoritmo criptográfico. Compromisos de tiempo–memoria (TMTO por sus siglas en inglés) es una vieja técnica genérica concebida más de veinticinco años atrás para invertir funciones de sólo ida. La implementación más factible de TMTO es la de arquitecturas de hardware de propósito especial, y es así que en este artículo, describimos una arquitectura de ese tipo capaz de implementar dicho método. Subdividimos las fases fuera de línea y en línea del algoritmo en tareas simples e identificamos oportunidades para paralelizar y/o utilizar técnicas de tubería. Este proceso nos condujo a proponer una arquitectura de alto nivel muy detallada, en la cual muchas de las elecciones de diseño estuvieron basadas en la intuición. Asimismo, desarrollamos un modelo de costos para nuestra arquitectura. El análisis del modelo de costo sugiere que las llaves de 128 bits pueden ser consideradas seguras en la actualidad. Sin embargo, las llaves con longitudes menores de 96 bits no brindan garantías de seguridad suficientes.

Palabras Claves: Funciones de sólo ida, método genérico, cripto–análisis de compromiso tiempo memoria.

DESCARGAR ARTÍCULO EN FORMATO PDF

Acknowledgments

Authors would like to thank anonymous reviewers for providing constructive and generous feedback. Despite their invaluable assistance any error remaining in this paper is solely attributed to the author.

References

1. 3GPP. 3rd generation partnership program, http://www.3gpp.org/.        [ Links ]

2. 3GPP (2003). 3gpp ts 55.215 v6.2.0 (2003–09), a5/3 and gea3 specifications. http://www.gsmworld.com.        [ Links ]

3. Amirazizi, H. and M. Hellman (1988). Time–memory–processor trade–offs. IEEE Transactions on Information Theory 34(3), 505–512.        [ Links ]

4. Biham, E. (1994). New types of cryptanaly tic attacks using related keys. Journal of Cryptology 7(4), 229–246.        [ Links ]

5. Biham, E., A. Biryukov, and A. Shamir (1999a). Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In Eurocrypt 1999, Proceedings, Volume 1592 of Lecture Notes in Computer Science, pp. 12–23. Springer.        [ Links ]

6. Biham, E., A. Biryukov, and A. Shamir (1999b). Miss in the middle attacks on idea and khufu. in FSE 1999, Proceedings, Volume 1636 of Lecture Notes in Computer Science, pp. 124–138. Springer.        [ Links ]

7. Biham, E. and A. Shamir (1993). Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag.         [ Links ]

8. Biryukov, A. (2005). Some thoughts on time–memory –data tradeoffs, http://eprint.iacr.org/2005/207.        [ Links ]

9. Biryukov, A. and A. Shamir (2000). Cyptanalytic time/memory/data tradeoffs for stream ciphers. In Asiacrypt 2000, Proceedings, Volume 1976 of Lecture Notes in Computer Science, pp. 1–13. Springer.        [ Links ]

10. Biryukov, A. and D. Wagner (1999). Slide attack. In FSE 1999, Proceedings, Volume 1636 of Lecture Notes in Computer Science, pp. 245–259. Springer.        [ Links ]

11. Borst, J., B. Preneel, and J. Vandewalle (1999). Linear cryptanalysis of rc5 and rc6. In FSE 1999, Proceedings, Volume 1636 of Lecture Notes in Computer Science, pp. 16–30. Springer.        [ Links ]

12. COPACOPANA (2006). A codebreakerfor des and other ciphers.        [ Links ]

13. Denning, D. (1982). Cryptography and data security. Addison Wesley.        [ Links ]

14. EFF (1998). Electronics Frontier Foundation: Cracking DES. O'Reilly and Associates.        [ Links ]

15. ETSI/SAGE (2002). Specification of the a5/3 encryption algorithms for gsm and edge, and the gea3 encryption algorithm for gprs, document 1: A5/3 and gea 3 specifications.        [ Links ]

16. Fiat, A. and M. Naor (1991). Rigorous time/space tradeoffs for inverting functions. In STOC 1991, pp. 534–541.        [ Links ]

17. Gilbert, H., H. Handschuh, A. Joux, and S. Vaudenay (2000). A statistical attack on rc6. in FSE 2000, Proceedings, Volume 1978 of Lecture Notes in Computer Science, pp. 64–74. Springer.        [ Links ]

18. Good, T. and M. Benaissa (2005). Aes on fpga from the fastest to the smallest. In CHES 2005, Proceedings, Volume 3659 of Lecture Notes in Computer Science, pp. 427–440. Springer.        [ Links ]

19. Handschuh, H. and H. Gilbert (1997). X² cryptanalysis of the seal encryption algorithm. In FSE 1997, Proceedings, Volume 1267 of Lecture Notes in Computer Science, pp. 1–12. Springer.        [ Links ]

20. Hellman, M. (1980). A cryptanalytic time–memory trade–off. IEEE Transactions on Information Theory 26, 401–406.        [ Links ]

21. Hong, J. and P. Sarkar (2005). New applications of time memory data tradeoffs. In Asiacrypt 2005, Proceedings, Volume 3788 of Lecture Notes in Computer Science, pp. 353–372. Springer.        [ Links ]

22. Kumar, S., C. Paar, J. Pelzl, G. Pfeiffer, and M. Schimmler (2006). Breaking ciphers with copacobana–a cost–optimized parallel code breaker. In CHES 2006, Proceedings, Volume 4249 of Lecture Notes in Computer Science, pp. 101–118. Springer.        [ Links ]

23. Lai, X. (1994). Higher order derivatives and differential cryptanalysis. Communication and Cryptography, 227–233.        [ Links ]

24. Matsui, M. (1993). Linear cryptanalysis method for des cipher. In Eurocrypt 1993, Proceedings, Volume 765 of Lecture Notes in Computer Science, pp. 386–397. Springer.        [ Links ]

25. Matsui, M. (1994). The first experimental cryptanalysis of the data encryption standard. In Crypto 1994, Proceedings, Volume 839 of Lecture Notes in Computer Science, pp. 1–11. Springer.        [ Links ]

26. Mentens, N., L. Batina, B. Preneel, and I. Verbauwhede (2005). Cracking unix passwords using fpga platforms. In SHARCS 2005, Proceedings.        [ Links ]

27. Mukhopadhyay, S. and P. Sarkar (2006). Application of lfsrs for parallel sequence generation in cryptologic algorithms. In Applied Cryptography and Information Security 2006 (ACIS'06) in conjunction with ICCSA 2006, Proceedings, Volume 3982 of Lecture Notes in Computer Science, pp. 426–435. Springer.        [ Links ]

28. Oechslin, P. (2003). Making a faster cryptanalytic time–memory trade–off. In Crypto 2003, Proceedings, Volume 2729 of Lecture Notes in Computer Science, pp. 617–630. Springer.        [ Links ]

29. Quisquater, J. and J. Delescaille (1989). How easy is collision search? application to des. In Eurocrypt 1989, Proceedings, Volume 434 of Lecture Notes in Computer Science, pp. 429–434. Springer.        [ Links ]

30. Quisquater, J. and F. Standaert (2005). Exhaustive key search of the des: Updates and refinements. In SHARCS 2005, Proceedings.        [ Links ]

31. Quisquater, J., F. Standaert, G. Rouvroy, J. David, and J. Legat (2002). A cryptanalytic time–memory tradeoff: First fpga implementation. inFPL 2002, Proceedings, Volume 2438 of Lecture Notes in Computer Science, pp. 780–789. Springer.        [ Links ]

32. Shimoyama, T., M. Takenaka, and T. Koshiba (2002). Multiple linear cryptanalysis of a reduced round rc6. In FSE 2002, Proceedings, Volume 2365 of Lecture Notes in Computer Science, pp. 76–88. Springer.        [ Links ]

33. Shimoyama, T., M. Takeuchi, and J. Hayakawa (2002). Correlation attack to the block cipher rc5 and simplified variants of rc6. In 3rd AES Candidate Conference.        [ Links ]

34. Wagner, D. (1999). The boomerang attack. InFSE 1999, Proceedings, Volume 1636 of Lecture Notes in Computer Science, pp. 156–170. Springer.        [ Links ]

35. Wiener, M. (1996). Efficient des key search. In Crypto 1993 (rump session presentation). Reprint in Practical Cryptography for Data Internetworks, William Stallings editor IEEE Computer Society Press, pp. 31–79, 1996.        [ Links ]

36. Wiener, M. (2004). The full cost of cryptanalytic attacks. Journal of Cryptology 17(2), 105–124.        [ Links ]